type: Hacktivism
threat_level: Medium
status: Active
origin: Russia — pro-Kremlin hacktivism
last_updated: 2026-03-27

NoName057(16)

also known as: 05716nnm, Nnm05716, NoName057, NoName05716
tool: DDoSia Project

Russia's most prolific state-aligned hacktivist collective — created by CISM (Centre for the Study and Network Monitoring of the Youth Environment) as a covert Kremlin project, with CISM staff developing the DDoSia tool, funding infrastructure, and serving as channel administrators. Active since March 2022, the group has maintained an average of 50 DDoS attacks per day, targeting over 3,700 unique hosts across NATO member states and Ukraine allies between mid-2024 and mid-2025 alone. Its volunteer-driven DDoSia platform — which pays cryptocurrency to participants — has transformed pro-Kremlin sympathizers worldwide into a distributed attack network that persists and adapts despite repeated law enforcement disruptions.

attributed origin: Russia — CISM (state-backed, covert Kremlin project)
assessed sponsor: Kremlin / Russian state (CISA attribution, Dec 2025)
first observed: March 2022
primary motivation: Pro-Kremlin information warfare — disrupt Ukraine allies
primary targets: Government, Transport, Finance — NATO / Ukraine-supporting states
operational tempo: ~50 unique targets per day (avg, Jul 2024–Jul 2025)
law enforcement action: Operation Eastwood — July 14–17, 2025
target regions: Ukraine (29%), France (6%), Italy (5%), Sweden (5%), broader NATO
current status: ACTIVE — defiant post-Eastwood, continuing operations

Overview

NoName057(16) emerged in March 2022, days after Russia launched its full-scale invasion of Ukraine, and rapidly became the most operationally consistent pro-Russian hacktivist group in the conflict's cyber dimension. Unlike many hacktivist collectives that surge in response to specific events and then fade, NoName057(16) has sustained a high and steady operational tempo for over three years — publishing new target lists, claiming attack results, and recruiting volunteer participants daily through its Telegram channels.

A December 2025 joint advisory from CISA, the FBI, and international partners formally attributed the group's creation to CISM — the Centre for the Study and Network Monitoring of the Youth Environment, a Russian state-linked organization established at the Kremlin's direction. According to the advisory, senior executives and employees within CISM developed and customized the DDoSia tool, paid for network infrastructure, served as administrators on the group's Telegram channels, and selected DDoS targets. This attribution makes NoName057(16) meaningfully different from genuinely organic hacktivist collectives: it is a state-manufactured operation with deliberate deniability built in through its volunteer structure.

The DDoSia Project — the group's custom crowdsourced DDoS platform — is the operational core. Participants download the DDoSia client, which receives target lists and attack parameters from the group's command-and-control infrastructure, and execute attacks in exchange for cryptocurrency rewards. This model lowers the technical barrier to participation to near zero while distributing attack traffic across a large, geographically dispersed volunteer base that is difficult to attribute and disrupt. The tool has evolved substantially from a Windows-only proof of concept into a modular, multi-platform framework supporting Windows, Linux, ARM, and Android, with encrypted C2, traffic randomization, and realistic client signatures designed to defeat CDN and rate-limiting defenses.

The group's targeting is geopolitically reactive: campaigns are consistently timed to Western diplomatic actions, military aid announcements, NATO membership decisions, and political developments unfavorable to Russian interests. Countries are targeted in sequence as they take high-profile actions supporting Ukraine — Finland when it joined NATO, Lithuania over the Kaliningrad transit restrictions, Denmark over support for Ukraine, the Netherlands over Dutch aid decisions. The attacks are primarily disruptive rather than destructive, aiming to generate media coverage, signal Russian cyber capability, and demonstrate consequences for supporting Ukraine — consistent with information warfare objectives rather than operational damage goals.

In 2024, NoName057(16) began collaborating more extensively with other pro-Russian hacktivist groups, particularly the Cyber Army of Russia Reborn (CARR). By mid-2024, the two groups were operating a joint Telegram chat. In September 2024, administrators from both groups formed Z-Pentest, a hybrid entity that has shifted beyond DDoS toward claimed OT intrusions targeting Western critical infrastructure. In July 2025, Operation Eastwood — a Europol-coordinated international action — led to two arrests, seven arrest warrants, and 24 house searches across six European countries. NoName057(16) responded by dismissing the operation on Telegram, urging followers to "not believe all this nonsense of foreign special services," and reaffirming continued operations in support of Russia. The group has remained active since.

Target Profile

NoName057(16)'s targeting is geopolitically structured rather than sector-opportunistic. Targets are selected to signal retribution for specific national-level actions and to generate media coverage that amplifies the group's political messaging.

  • Ukraine (29% of targets, Jul 2024–Jul 2025): The foundational target and the stated raison d'être of the group. Ukrainian government, media, and infrastructure websites were the first targets in March 2022 and remain the largest single country category by target count. Ukrainian media portals, government sites, and news organizations are routinely attacked following military or political developments.
  • Government and Public Sector (41% of all targets by sector): The most heavily targeted sector category across all geographies. Government ministry websites, parliament portals, local council sites, and public administration infrastructure are priority targets because their disruption generates maximum visibility and is easy to claim publicly as a retaliatory response to specific political decisions.
  • NATO Member States — Sequential Targeting: Countries are targeted when they take specific actions opposing Russian interests. Finland's parliament was attacked after NATO membership. Lithuania's infrastructure was attacked over Kaliningrad transit restrictions. Denmark's finance sector and government agencies were targeted over Ukrainian support. The Netherlands experienced attacks during Dutch aid decisions. Poland, Sweden, Germany, Czech Republic, Italy, France, Spain, and others have all been targeted in geopolitically reactive campaigns.
  • Transportation and Logistics (12% of targets): Train ticket systems, port operations, and logistics operators, particularly systems used by ordinary citizens, are targeted to create visible public disruption that generates news coverage and demonstrates the cost of the host country's Ukraine support.
  • Financial Sector: Banks, payment processors, and financial ministry websites are targeted to disrupt financial services. Denmark's finance sector was specifically targeted in early 2023. Financial sector attacks carry high media impact relative to actual service disruption.
  • Critical Infrastructure (emerging, via Z-Pentest): Through the Z-Pentest partnership formed in September 2024, NoName057(16)-affiliated operators have begun claiming OT intrusions against water and wastewater systems, food and agriculture, and energy sector targets in Western countries — an escalation beyond traditional DDoS that CISA flagged in its December 2025 advisory.

Tactics, Techniques & Procedures

NoName057(16)'s TTP set is specialized for high-frequency, low-dwell disruption operations. Unlike APTs that seek persistence, the group's model is one of constant bombardment: rapid target selection, distributed attack execution, public claim, and repeat. The DDoSia infrastructure has been continuously refined to defeat defensive measures deployed in response to prior campaigns.

| mitre id | technique | description |
|---|---|---|
| T1498.001 | Network DoS — Direct Network Flood | HTTP GET floods, SYN floods, and high-volume UDP traffic directed at target web services on ports 80 and 443. The DDoSia client executes the flood type assigned by the C2 infrastructure based on the capabilities of the volunteer's node and the characteristics of the specific target. Multiple attack types can be layered across a single target from different volunteer nodes simultaneously. |
| T1499.003 | Application Layer Protocol — Slow Loris / HTTP Exhaustion | Slow connection methods and HTTP HEAD floods are used alongside volumetric attacks to exhaust server connection pools and bypass CDN protections that filter simple volumetric traffic. Application-layer techniques that force traffic past CDN and DDoS mitigation services are documented capabilities of recent DDoSia versions. Cache-busting parameters are added to defeat CDN-level caching that would otherwise absorb GET flood traffic. |
| T1583.004 | Acquire Infrastructure — Server | DDoSia operates on a two-tier infrastructure architecture. Tier 1 consists of short-lived proxy servers (average lifespan approximately nine days, many rotated daily) that communicate directly with volunteer DDoSia clients on port 80. Tier 2 consists of backend servers hosting core logic and target lists, accessible only via access control lists permitting connections from known Tier 1 addresses. This separation ensures the backend infrastructure remains operational even when surface-facing Tier 1 nodes are identified and blocked. |
| T1572 | Protocol Tunneling — Encrypted C2 | Recent DDoSia versions use encrypted C2 communications between volunteer clients and Tier 1 servers, replacing earlier plaintext protocols. Traffic randomization and realistic client signatures are incorporated to mimic legitimate browser traffic, complicating behavioral detection by network security tools that monitor for anomalous traffic patterns. |
| T1588.001 | Obtain Capabilities — Malware (DDoSia) | The DDoSia client is distributed to volunteers through Telegram channels, GitHub repositories, and the group's websites. Volunteers download the client, register with the C2 infrastructure, and receive attack assignments. The client is available for Windows, Linux, ARM-based devices, and Android, maximizing the pool of eligible participants. Rewards (typically cryptocurrency tokens) are distributed to volunteers based on their contribution to attack execution. |
| T1591 | Gather Victim Organization Information | Target reconnaissance focuses on identifying the IP addresses and hostnames of web-facing government, financial, and transportation portals in target countries. Targets are identified by group operators based on geopolitical trigger events and posted to Telegram. New target batches are added in two consistent daily waves: a primary surge between 05:00 and 07:00 UTC and a secondary wave around 11:00 UTC — a pattern consistent with a standard Russian work schedule. |
| T1583.006 | Acquire Infrastructure — Web Services (Telegram) | Telegram is the primary command, coordination, and propaganda channel. The group publishes target lists, claims attack results with screenshots, distributes DDoSia software updates, mocks failed defenses, posts pro-Russian political content, and recruits new volunteers through Telegram channels with large subscriber counts. Regional sub-channels (NoName057(16) Spain, Italy, France) extend geographic reach and language accessibility. |
| T1498 | OT/ICS Targeting (via Z-Pentest, 2024–) | Through the Z-Pentest hybrid group formed with CARR in September 2024, NoName057(16)-affiliated operators have expanded beyond DDoS to claimed intrusions against OT assets. Minimally secured internet-facing VNC connections to ICS/SCADA control systems in water utilities, food and agriculture, and energy sectors have been targeted. CISA's December 2025 advisory documented physical damage resulting from these operations in some cases. |

state-manufactured, not organic

CISA's December 2025 advisory formally assessed that CISM — a Kremlin-established organization — created NoName057(16) as a covert project. CISM staff developed DDoSia, funded infrastructure, and administered Telegram channels. The "volunteer hacktivist" framing provides the Russian state with plausible deniability while maintaining control over targeting decisions and operational tempo. Defenders and policymakers should assess NoName057(16) attacks as state-directed information warfare operations rather than independent citizen activism.

Known Campaigns & Milestones

Key operational milestones and geopolitically reactive campaign waves across NoName057(16)'s three-year operational history.

Launch — Ukraine Media and Government Attacks (March 2022)

NoName057(16) declared itself in March 2022, days after Russia's full-scale invasion of Ukraine. Initial attacks targeted Ukrainian news portals (Zaxid, Fakty UA) and media websites. The group established its Telegram-based coordination model and began the continuous targeting cadence that would define its operations. American companies across various sectors were also targeted in early campaigns, establishing the group's global reach from the outset.

Lithuania — "Revenge for Kaliningrad" (June–July 2022)

Following Lithuania's restrictions on transit of Russian goods to Kaliningrad, NoName057(16) declared "revenge for Kaliningrad" and launched a sustained campaign against Lithuanian internet infrastructure. The group called on other pro-Russian hacktivist communities to join the operation, and conducted over 200 attacks on Lithuanian internet resources across approximately one month. The Lithuanian Ministry of Defense characterized the participants as pro-Russian "volunteer activists."

Danish Finance Sector and Government Agencies (January 2023)

Citing Danish support for Ukraine, NoName057(16) attacked Danish financial sector businesses and the Danish Ministry of Finance. Subsequent 2023 operations targeted the Danish data commissioner's website and, later, Danish municipalities and the Ministry of Transportation. Attack downtime for targeted municipalities was typically under 30 minutes — consistent with the group's pattern of brief but frequent disruptions rather than sustained outages.

Finland Parliament — NATO Accession Response (April 2023)

On April 4, 2023, the day Finland formally joined NATO, NoName057(16) attacked the website of the Finnish Parliament. The attack caused sufficient disruption that Finnish criminal police launched a preliminary investigation. The targeting pattern — attacking on the exact day of a geopolitically significant event — is characteristic of the group's reactive targeting model.

Netherlands — Translink and Dutch Infrastructure (November 2023)

In response to Dutch support for Ukraine, NoName057(16) targeted Dutch organizations including Translink, the company operating the ov-chipkaart public transport smart card system. Translink reported temporary website unavailability. The attack was presented as retaliation for Dutch government decisions, consistent with the group's political messaging framework.

UK Local Councils — October 2024 Wave (October 2024)

On October 28 and 30, 2024, NoName057(16) targeted 13 UK local authorities in two waves. The first wave resulted in service disruption for 6 councils; the second disrupted 3. This campaign demonstrated the group's expansion into UK-specific targeting as part of its broader NATO-member campaign coverage.

Z-Pentest Formation — OT Targeting Escalation (September 2024 onward)

In September 2024, administrators from NoName057(16) and CARR formed Z-Pentest, a hybrid group targeting OT assets in Western critical infrastructure — moving beyond DDoS into claimed SCADA and ICS intrusions. The group has claimed intrusions against water utilities, food and agriculture systems, and energy infrastructure. CISA's December 2025 advisory documented that some of these OT intrusions resulted in physical damage. In March 2025, Z-Pentest posted evidence of OT intrusions using a NoName057(16) cyberattack hashtag; in April 2025, Z-Pentest shared a video claiming HMI defacement referencing both NoName057(16) and CARR.

Operation Eastwood — International Disruption Action (July 14–17, 2025)

Europol coordinated Operation Eastwood across July 14–17, 2025, involving law enforcement from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands, and the United States, with support from Belgium, Canada, Estonia, Denmark, Latvia, Romania, and Ukraine. The operation dismantled a major part of the group's central server infrastructure and more than 100 systems globally, arrested two individuals (one preliminary arrest in France, one in Spain), issued seven arrest warrants (six from Germany, one from Spain), and conducted 24 house searches across six European countries. Six Russian nationals were added to the EU Most Wanted list. Eurojust and Europol released warrants for six named individuals including a named central suspect. NoName057(16) responded on Telegram within hours, dismissing the arrests and pledging continued operations. The group has remained active since.

Tools & Infrastructure

NoName057(16)'s capability is almost entirely defined by the DDoSia Project — a continuously developed, purpose-built crowdsourced DDoS platform. Secondary capabilities include a sophisticated Telegram-based propaganda and coordination infrastructure.

  • DDoSia Project (v1–current): The group's custom DDoS client, distributed to volunteers via Telegram, GitHub, and associated websites. Version 1 was Windows-only with limited functionality and no defense evasion. Current versions support Windows, Linux, ARM-based devices, and Android. Attack capabilities include HTTP GET floods, SYN floods, HTTP HEAD floods, Slow Loris-style connection exhaustion, and cache-busting. Defense evasion features include traffic randomization and realistic browser client signatures. C2 communication is encrypted. The client receives target lists from Tier 1 C2 servers and executes the assigned attack type based on node capabilities. Participants are compensated in cryptocurrency tokens based on their attack volume contribution.
  • Two-Tier C2 Infrastructure: Tier 1 servers are public-facing proxies with an average lifespan of approximately nine days; many are rotated daily. They handle volunteer client communications on port 80. Tier 2 backend servers host target lists and core logic, accessible only from known Tier 1 IPs via strict access control lists. This architecture ensures that discovery and blocking of Tier 1 nodes — which defenders frequently achieve — does not disrupt the underlying operation. New Tier 1 nodes are provisioned continuously.
  • Telegram Channel Network: The primary operational and propaganda platform. The main channel publishes target lists, claims attacks with screenshots of disrupted services, mocks defenders, shares DDoSia software updates, and posts political content. Regional sub-channels operate in local languages for France, Italy, Spain, and other target countries to maximize volunteer recruitment in those geographies. The channel continues to grow despite infrastructure disruptions and law enforcement actions.
  • GitHub Repositories (historical): DDoSia code and documentation were hosted on GitHub for extended periods before removals. The use of GitHub provided legitimacy, discoverability, and easy volunteer access — GitHub's trust reputation helped bypass network filters that might have blocked unknown download sites.
  • Cryptocurrency Payment System: Volunteers are paid in cryptocurrency (documented as tokens in the group's own ecosystem) based on their DDoS contribution volume. This incentive structure differentiates DDoSia from botnet models where infected machines are involuntary participants: DDoSia volunteers opt in knowingly, aware of the payment incentive, which adds legal complexity for prosecution while expanding the effective participant pool.

Indicators & Detection

NoName057(16)'s C2 infrastructure rotates frequently: Tier 1 nodes average nine-day lifespans, so static IP and domain blocklists go stale rapidly. Behavioral detection focused on traffic patterns is more durable.

rapid infrastructure rotation

Tier 1 C2 servers average a nine-day lifespan with daily rotation common. Static blocklists of known DDoSia C2 IPs will be stale within days of publication. Organizations in target sectors should subscribe to threat intelligence feeds that provide near-real-time C2 infrastructure updates. Recorded Future's Insikt Group and CISA publish updated infrastructure data through government partners.

attack traffic behavioral signatures

  • traffic: High-volume HTTP GET requests to port 80/443 with varying user-agent strings (randomized)
  • traffic: SYN flood patterns — large volumes of half-open TCP connections without completion
  • traffic: Slow Loris connection exhaustion — large numbers of slow, incomplete HTTP connections
  • traffic: HTTP HEAD floods — repeated HEAD requests designed to consume server processing without CDN absorption
  • timing: Attack initiation often 05:00–07:00 UTC or ~11:00 UTC (Russian work schedule alignment)
  • pattern: Sustained attack over hours to days from large numbers of geographically distributed source IPs
  • pattern: Attack claims posted to NoName057(16) Telegram channel within hours of traffic onset

ddosia c2 infrastructure characteristics

  • port: Port 80 — Tier 1 C2 client communication
  • lifespan: Tier 1 nodes average ~9 days; daily rotation is common
  • hosting: Tier 1 nodes frequently provisioned from bulletproof or permissive hosting providers
  • access: Tier 2 backend protected by ACL permitting only known Tier 1 source IPs
  • intel feeds: Recorded Future (Insikt Group) and CISA publish near-real-time C2 infrastructure data
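
One way to turn the traffic signatures above into an access-log check, as an added example (not from this profile or from any vendor tooling): it buckets requests per minute and path and flags cache-busting GET bursts and HEAD floods that arrive from many sources. The log lines, thresholds and function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": url.path, "query": url.query, "ua": m["ua"]}

def in_reported_window(ts):
    """True if ts (UTC) falls in the 05:00-07:00 or ~11:00 windows the profile reports."""
    return 5 <= ts.hour < 7 or ts.hour == 11

def sample_lines():
    """Constructed sample: two flood-like bursts plus ordinary traffic (documentation IPs)."""
    fmt = '{ip} - - [27/Mar/2026:{t} +0000] "{m} {u} HTTP/1.1" 200 512 "-" "{ua}"'
    out = []
    for i in range(30):  # GET burst: unique query string per request, 30 sources
        out.append(fmt.format(ip=f"198.51.100.{i + 1}", t=f"05:31:{i:02d}", m="GET",
                              u=f"/search?q=x&_={i * 7919}", ua=f"Mozilla/5.0 build/{i}"))
    for i in range(25):  # HEAD burst from 25 sources
        out.append(fmt.format(ip=f"203.0.113.{i + 1}", t=f"11:02:{i:02d}", m="HEAD",
                              u="/", ua=f"Mozilla/5.0 build/{i % 5}"))
    for i in range(25):  # ordinary browsing: 3 sources, one cacheable URL
        out.append(fmt.format(ip=f"192.0.2.{i % 3 + 1}", t=f"14:00:{i:02d}", m="GET",
                              u="/index.html", ua="Mozilla/5.0"))
    return out

def score_windows(lines, min_requests=20, min_ips=10, bust_ratio=0.8, head_ratio=0.5):
    """Group requests per (minute, path) and flag flood-like buckets.

    Thresholds are illustrative assumptions; tune them against your own baseline.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            buckets[(rec["ts"].replace(second=0), rec["path"])].append(rec)
    findings = []
    for (minute, path), recs in sorted(buckets.items()):
        n = len(recs)
        if n < min_requests:
            continue
        ips = {r["ip"] for r in recs}
        queries = {r["query"] for r in recs if r["query"]}
        heads = sum(r["method"] == "HEAD" for r in recs)
        reasons = []
        if len(queries) / n >= bust_ratio:   # nearly every request has a unique query
            reasons.append("cache-busting")
        if heads / n >= head_ratio:          # bucket dominated by HEAD requests
            reasons.append("head-flood")
        if reasons and len(ips) >= min_ips:  # a single busy client is not a distributed flood
            findings.append({
                "minute": minute.strftime("%H:%M"), "path": path, "requests": n,
                "sources": len(ips), "user_agents": len({r["ua"] for r in recs}),
                "reasons": reasons, "reported_window": in_reported_window(minute),
            })
    return findings

if __name__ == "__main__":
    for finding in score_windows(sample_lines()):
        print(finding)
```

The `reported_window` field is context for triage only; a burst outside those hours is still flagged.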

Mitigation & Defense

NoName057(16) targets are selected reactively in response to geopolitical events, not through technical pre-attack reconnaissance of specific organizational vulnerabilities. Defenses must be deployed before the targeting decision is made.

  • Deploy dedicated DDoS mitigation services before an attack occurs: Cloud-based DDoS mitigation (Cloudflare, Akamai, AWS Shield, Fastly) provides the best first-line defense against DDoSia traffic. NoName057(16) explicitly adapts its attack techniques to bypass CDN caching and rate-limiting — ensuring the mitigation provider is configured specifically against application-layer techniques (not just volumetric) is critical. Organizations in sectors regularly targeted by the group (government, transport, finance in NATO members) should deploy mitigation proactively rather than reactively.
  • Subscribe to threat intelligence for early warning: NoName057(16) announces targets on Telegram before or during attacks. Organizations in sectors and countries regularly targeted should monitor the group's Telegram channel or subscribe to threat intelligence services that do so, providing minutes to hours of warning before attack traffic arrives. CISA shares IOC packages with critical infrastructure operators through its information sharing programs.
  • Implement rate limiting and connection limits at the edge: Application-layer Slow Loris and HEAD flood techniques target connection pool exhaustion rather than raw bandwidth. Web application firewalls (WAFs) configured with connection rate limits, Slow Loris detection, and HTTP header anomaly rules provide a meaningful additional control layer on top of volumetric DDoS mitigation.
  • Distribute services across multiple IPs and CDN anycast nodes: DDoSia targets specific IP addresses and hostnames from published target lists. Infrastructure that serves from multiple IPs and CDN anycast nodes forces the attacking volunteer base to distribute traffic across a wider attack surface, reducing per-endpoint impact. Rotating IP addresses following the start of an attack can temporarily invalidate active target lists.
  • Secure OT/ICS assets against internet-exposed VNC (Z-Pentest threat): CISA's December 2025 advisory specifically documented NoName057(16)-affiliated Z-Pentest operators exploiting minimally secured internet-facing VNC connections to access ICS control systems. Any VNC or remote management interface for operational technology systems must be removed from internet exposure or placed behind VPN with MFA. CISA's OT security guidance should be applied to all water, energy, and food sector operational systems.
  • Prepare incident response plans for DDoS events: Organizations in regularly targeted sectors should have documented DDoS response playbooks that include escalation paths, upstream provider contact procedures, and communication plans. Many NoName057(16) attack disruptions last under 30 minutes — effective response reduces even these short outages and limits media impact that amplifies the group's political messaging.
analyst note — operation eastwood's limits

Operation Eastwood in July 2025 disrupted significant infrastructure and demonstrated that European law enforcement can identify and reach NoName057(16) operators who are physically accessible in Europe. However, the group's senior leadership and most operators assessed to be in Russia remain outside the reach of European law enforcement. The group's defiant Telegram response and continued post-Eastwood operations confirm that infrastructure disruptions alone do not degrade the group's operational capability to a meaningful degree as long as its leadership and volunteer base remain intact and motivated. The Kremlin's institutional backing through CISM provides operational resilience that persists beyond individual infrastructure takedowns.
